https://apt.puppetlabs.com/
This document describes how to install and configure Puppet on Ubuntu 14.04 server. I will also connect a Puppet client running Ubuntu 14.04 desktop. Puppet is a configuration management system that allows you to define the state of your IT infrastructure, then automatically enforces the correct state. Whether you're managing just a few servers or thousands of physical and virtual machines, Puppet automates tasks that sysadmins often do manually, freeing up time and mental space so sysadmins can work on the projects that deliver greater business value.
Whether you're deploying vendor-supplied applications or working with a team of internal software developers, Puppet automates every step of the software delivery process: from provisioning of physical and virtual machines to orchestration and reporting; from early-stage code development through testing, production release and updates. Puppet ensures consistency, reliability and stability. It also facilitates closer collaboration between sysadmins and developers, enabling more efficient delivery of cleaner, better-designed code.
1 Preliminary Note
This tutorial is based on Ubuntu 14.04 server and Ubuntu 14.04 desktop, so you should set up a basic Ubuntu 14.04 server and desktop installation before you continue with this tutorial. Each system should have a static IP address. In this tutorial I use 192.168.0.100 as the IP address of the Ubuntu server and 192.168.0.101 as the IP address of the Ubuntu desktop, with server1.example.com as the hostname of the Ubuntu server and desktop1.example.com as the hostname of the Ubuntu desktop.
Both the Ubuntu server and the Ubuntu desktop must have the following entries in the /etc/hosts file. These entries are the same on the server and the client.
nano /etc/hosts
[...]
192.168.0.100 server1.example.com server1
192.168.0.101 desktop1.example.com desktop1
In addition, the server and the desktop must have synchronized time. Set this up on both machines as follows:
ntpdate pool.ntp.org ; apt-get update && sudo apt-get -y install ntp ; service ntp restart
2 Puppet master installation at Ubuntu Server 14.04
To install the Puppet master we will add the latest repository and install Puppet as follows:
cd /tmp
wget https://apt.puppetlabs.com/puppetlabs-release-trusty.deb
dpkg -i puppetlabs-release-trusty.deb
apt-get update
apt-get install puppetmaster
Check the puppet version as:
puppet -V
root@server1:/tmp# puppet -V
3.7.1
root@server1:/tmp#
The installed Puppet version is 3.7.1. Now we need to lock the Puppet version, because updating Puppet during system updates can break the configuration. This is done by creating the following file:
nano /etc/apt/preferences.d/00-puppet.pref
Add the entries in the newly created file as:
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common puppetmaster-passenger
Pin: version 3.7*
Pin-Priority: 501
With this pin in place, Puppet will not be updated when updates are run on the system.
Next we will change the configuration file as follows:
nano /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
Just comment out the line templatedir=$confdir/templates and save the file.
Now we will stop and then start the services:
service puppetmaster stop
service puppetmaster start
Now the master puppet server is ready.
3 Puppet client installation at Ubuntu Desktop 14.04
Now our aim is to install and configure the Ubuntu Desktop as the Puppet client for the Puppet master Ubuntu Server. The client must have the /etc/hosts entries and must be time-synced as described in Chapter 1 above. Next we will install Puppet as follows:
cd /tmp
wget https://apt.puppetlabs.com/puppetlabs-release-trusty.deb
dpkg -i puppetlabs-release-trusty.deb
apt-get update
apt-get install puppet
Check the puppet version as:
puppet -V
root@desktop1:/tmp# puppet -V
3.7.1
root@desktop1:/tmp#
The installed Puppet version is 3.7.1. Now we need to lock the Puppet version, because updating Puppet during system updates can break the configuration. This is done by creating the following file:
nano /etc/apt/preferences.d/00-puppet.pref
Add the entries in the newly created file as:
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common puppetmaster-passenger
Pin: version 3.7*
Pin-Priority: 501
With this pin in place, Puppet will not be updated when updates are run on the system.
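The pin only applies to the packages named on its Package line, which lists puppetmaster-passenger while this tutorial installs puppetmaster on the server. The following check is an added example, not part of the original tutorial; it reports installed packages that the stanza used on the server and the client does not cover. The function name and the two package lists are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report packages that an apt preferences stanza does not
# cover. PIN_FILE is the stanza from this tutorial; the package lists are
# assumptions about what each machine has installed.

PIN_FILE='Package: puppet puppet-common puppetmaster-passenger
Pin: version 3.7*
Pin-Priority: 501'

# Assumed package sets (constructed; on a real host take them from dpkg -l).
MASTER_PKGS='puppet-common puppetmaster puppetmaster-common'
CLIENT_PKGS='puppet puppet-common'

# Print, one per line, each package in "$@" that no Package: entry in the
# preferences text on stdin matches. Entries may be glob patterns.
unpinned_packages() {
    patterns=$(awk '$1 == "Package:" { for (i = 2; i <= NF; i++) print $i }')
    set -f                      # keep glob entries from expanding to file names
    for pkg in "$@"; do
        covered=no
        for pat in $patterns; do
            case $pkg in
                $pat) covered=yes ;;
            esac
        done
        [ "$covered" = yes ] || printf '%s\n' "$pkg"
    done
    set +f
}

# Demo on the constructed data above.
echo "master, not pinned:"
printf '%s\n' "$PIN_FILE" | unpinned_packages $MASTER_PKGS
echo "client, not pinned:"
printf '%s\n' "$PIN_FILE" | unpinned_packages $CLIENT_PKGS
```

Any package the check prints can be added to the Package line of the pin file on that machine.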
Next we will change the configuration file as follows:
nano /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates

#[master]
## These are needed when the puppetmaster is run by passenger
## and can safely be removed if webrick is used.
#ssl_client_header = SSL_CLIENT_S_DN
#ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
server = server1.example.com
Just comment out the lines as shown above, add the [agent] entries and save the file.
Next we need to edit the file /etc/default/puppet and change START from no to yes as shown below:
nano /etc/default/puppet
[...]
START=yes
[...]
Now we are ready to start the puppet service. This is done as follows:
service puppet start
Now our client machine is ready to communicate with Puppet Master server.
4 Cert exchange from Puppet master to puppet client
After successful configuration, the Puppet client (Ubuntu Desktop) looks for the Puppet master server and submits a cert request, which must be signed before the client accepts any administrative instructions from the Puppet master server.
To view such cert requests, run this command on the Puppet master Ubuntu server:
puppet cert list
root@server1:~# puppet cert list
"desktop1.example.com" (SHA256) BD:F7:7C:76:48:09:C5:FE:0C:A8:CD:81:92:1D:A4:1F:15:1C:1A:6E:DE:C1:3C:B4:CA:FC:C6:2F:B4:9A:91:74
root@server1:~#
It means that a machine named desktop1.example.com has appeared and is asking for its cert request to be signed. Now the Puppet master server must sign the cert requested by the Puppet client. It can be done as follows:
puppet cert sign desktop1.example.com
The output will be like this:
root@server1:~# puppet cert sign desktop1.example.com
Notice: Signed certificate request for desktop1.example.com
Notice: Removing file Puppet::SSL::CertificateRequest desktop1.example.com at '/var/lib/puppet/ssl/ca/requests/desktop1.example.com.pem'
root@server1:~#
It means the request from the desktop machine has been accepted at the Puppet master machine. We can check that with this command as well:
puppet cert list --all
root@server1:~# puppet cert list --all
+ "desktop1.example.com" (SHA256) 7A:B7:CE:C4:A0:05:99:E7:E2:53:AD:D2:7F:6E:B5:38:CA:87:E0:8D:C7:0E:71:89:82:E1:17:FA:9D:B1:01:6D
+ "server1.server1.example.com" (SHA256) FF:E2:49:B9:2F:B4:D1:79:21:E9:1A:83:22:FA:DB:E8:5D:9B:9A:1C:E1:4D:83:B9:16:9D:FD:8B:72:FD:62:5F (alt names: "DNS:puppet", "DNS:puppet.server1.example.com", "DNS:server1.server1.example.com")
root@server1:~#
The above + sign in the output shows successful certificate signing at Puppet master Ubuntu Server.
To view the client cert fingerprint at Puppet Client Ubuntu desktop, run:
puppet agent --fingerprint
root@desktop1:~# puppet agent --fingerprint
(SHA256) 7A:B7:CE:C4:A0:05:99:E7:E2:53:AD:D2:7F:6E:B5:38:CA:87:E0:8D:C7:0E:71:89:82:E1:17:FA:9D:B1:01:6D
root@desktop1:~#
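Before a request is signed, puppet agent --fingerprint on the client reports the fingerprint of its pending certificate request, so it can be compared with the value puppet cert list shows on the master. The following script is an added example, not part of the original tutorial, that signs only when the two match. The function names are assumptions, and the sample list is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: sign an agent's request only when the fingerprint the master
# holds equals the one read on the client. CERT_LIST is constructed from the
# `puppet cert list` output shown in this tutorial.

CERT_LIST='  "desktop1.example.com" (SHA256) BD:F7:7C:76:48:09:C5:FE:0C:A8:CD:81:92:1D:A4:1F:15:1C:1A:6E:DE:C1:3C:B4:CA:FC:C6:2F:B4:9A:91:74
+ "server1.server1.example.com" (SHA256) FF:E2:49:B9:2F:B4:D1:79:21:E9:1A:83:22:FA:DB:E8:5D:9B:9A:1C:E1:4D:83:B9:16:9D:FD:8B:72:FD:62:5F'

# Read `puppet cert list` output on stdin and print the SHA256 fingerprint of
# the pending (unsigned) request for host $1. Signed entries start with "+"
# and are skipped. Exit status 1 if there is no pending request.
pending_fingerprint() {
    awk -v host="\"$1\"" '
        $1 == host && $2 == "(SHA256)" { print $3; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Return 0 only if the pending request for host $1 (list on stdin) carries
# fingerprint $2, compared case-insensitively; 2 if nothing is pending.
csr_matches() {
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    pending=$(pending_fingerprint "$1") || return 2
    [ "$pending" = "$expected" ]
}

# Wrapper for use on the master: $2 is the fingerprint read on the client
# with `puppet agent --fingerprint` and passed over a separate channel.
sign_if_verified() {
    if puppet cert list | csr_matches "$1" "$2"; then
        puppet cert sign "$1"
    else
        echo "not signing $1: no pending request or fingerprint mismatch" >&2
        return 1
    fi
}

# Demo on the constructed data: prints "match".
printf '%s\n' "$CERT_LIST" | csr_matches desktop1.example.com \
    'bd:f7:7c:76:48:09:c5:fe:0c:a8:cd:81:92:1d:a4:1f:15:1c:1a:6e:de:c1:3c:b4:ca:fc:c6:2f:b4:9a:91:74' \
    && echo match
```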
Similarly we can add any number of clients to the Puppet master Ubuntu Server and sign the cert requests from the clients. If for any administrative requirement you wish to revoke the certs from the Puppet master Ubuntu Server, we can run:
puppet cert clean desktop1.example.com
root@server1:~# puppet cert clean desktop1.example.com
Notice: Revoked certificate with serial 3
Notice: Removing file Puppet::SSL::Certificate desktop1.example.com at '/var/lib/puppet/ssl/ca/signed/desktop1.example.com.pem'
Notice: Removing file Puppet::SSL::Certificate desktop1.example.com at '/var/lib/puppet/ssl/certs/desktop1.example.com.pem'
root@server1:~#
To be sure the certificates are completely removed on the Puppet Master Ubuntu server, I explicitly cleaned them again:
puppet cert -c
Note: Above I have just mentioned how we can revoke the cert and disconnect the Desktop from the Puppet master server.
As mentioned above, we can connect any number of desktops and do the administration centrally through the Puppet master server. Congratulations! Now we have a fully functional Puppet instance on our Ubuntu 14.04 :)
5 Links
- Puppet: http://puppetlabs.com/
- Ubuntu : http://www.ubuntu.com/